Welcome to WAS


Qualys Web Application Scanning (WAS) provides organizations with the ease of use, 
centralized management and integration capabilities they need to keep the attackers at 
bay and their web applications secure. Qualys WAS enables organizations to assess, track 
and remediate web application vulnerabilities. 


Key Features

- Crawl web applications (Intranet, Internet) and scan them for vulnerabilities
- Fully interactive UI with flexible workflows and reporting
- Identify web applications' handling of sensitive or secret data
- Customize: black/white lists, robots.txt, sitemap.xml and more
- Supports common authentication schemes
- View reports with recommended security coding practice and configuration

Robust Scalable Scanning Capabilities

- Supports scanning HTML web applications with JavaScript and embedded Flash
- Comprehensive detection of custom web application vulnerabilities including OWASP Top 10 Vulnerabilities
- Differentiates exploitable fault-injection problems from simple information disclosure
- Profiles custom web application behaviors
- Configures scanning performance with customizable performance level


Qualys Cloud Platform - Benefits for Users 


New technologies implemented in the Java-based backend offer many benefits for users: 


- UI with dynamic and interactive interfaces, wizards and new report templates to present 
scan data with a wide range of presentation options. 


- Customizable template-driven reporting engine outputs reports in a variety of formats (html, pdf, encrypted pdf, ppt, xml, csv).


- Fast searching of several extensive Qualys data sets, including scan results, asset data, 
scan profiles, users and vulnerabilities. 


- Create and manage tags (static and dynamic) to group and organize web applications. 


- Dynamic distribution of scans on multiple scanners based on availability and load to 
optimize scanning of large networks, drastically reducing the overall scan time required to 
complete large scan jobs. 




REST API Scanning, CI/CD Integration, and More 


We support Swagger version 2.0, allowing DevOps teams to streamline assessments of 
REST APIs and get faster visibility of the security posture of mobile application backends 
and Internet of Things (IoT) services. Additionally, a new native plugin for Jenkins delivers 
automated vulnerability scanning of web applications for teams using the popular 
Continuous Integration/Continuous Delivery (CI/CD) tool. In tandem, customers can now 
leverage the new Qualys Browser Recorder, a free Google Chrome browser extension, to 
easily review scripts for navigating through complex authentication and business 
workflows in web applications. 


- Scanning of Swagger-based Representational State Transfer (REST) APIs - In addition to 
scanning Simple Object Access Protocol (SOAP) web services, Qualys WAS leverages the 
Swagger specification for testing REST APIs. Users need to only ensure the Swagger version 
2.0 file (JSON format) is visible to the scanning service, and the APIs will automatically be 
tested for common application security flaws. 


- Enhanced API Scanning with Postman Support - Postman is a widely-used tool for functional testing of REST APIs. A Postman Collection is a file, exported from the tool in JSON format, that groups related requests (API endpoints) together so they can be shared with other users. With the release of Postman Collection support in Qualys WAS, customers have the option to configure their API scans using the Postman Collection for their API.


- Jenkins plugin - The Qualys WAS Jenkins plugin empowers DevOps teams to build 
application vulnerability scans into their existing CI/CD processes. By integrating scans in 
this manner, application security testing is accomplished earlier in the SDLC to catch and 
eliminate security flaws thereby significantly reducing the cost of remediation compared 
to doing so later in the SDLC. Download the plugin here. 


- Qualys Browser Recorder - This new Chrome extension allows users to record web 
browser activity and save the scripts for repeatable, automated testing. Scripts are played 
back in Qualys WAS, allowing the scanning engine to successfully navigate through 
complex authentication and business workflows. The Qualys Browser Recorder extension 
is free and available to anyone (not just Qualys customers) via the Chrome Web Store. 




Get Started 


Qualys WAS is the most powerful web application scanner available. 


Let's go! 
Just log in and select WAS. 


[Screenshot: the Modules menu listing the active modules in the subscription, including Web Application Scanning (WAS) - Automated Web Application Security Assessment and Reporting, alongside modules such as AssetView, Cloud Agent, VMDR, Policy Compliance, Web Application Firewall and Web Malware Detection.]




Start by telling us about the web application you want to scan - just click Add Web 
Application. 
[Screenshot: the empty WAS Dashboard (0 total scanned web apps, 0 with Malware Monitoring, 0 detections) with the Add Web Application button: 'You have no web applications as of today. Please add a web application to get started.']


Choose the starting point 
Select Blank and you'll be able to build the new web asset from scratch. 


Already have the web asset in your subscription? You might if you've already defined it for 
the WAF application. If yes just select Existing Asset and this will save you time! You won't 
need to re-enter settings like name, URL, tags. 


[Screenshot: the Web Application Creation dialog, 'Select the starting point for your web application', with the Blank and Existing Asset options.]




Add your web app settings 


The web application name and URL are required when adding a web app from scratch. If 
you're adding from an existing asset these will be filled in for you. 


Want to scan your external site for malware? Just turn on Malware Monitoring and we'll perform automatic daily malware scans.


Help Tips - Turn this on (in the title bar) and get help for each setting as you hover over fields.

[Screenshot: Web Application Creation wizard, Step 1 of 11, 'Tell us about the asset you want to scan': Asset Details and Application Details, with name, target definition, tags and custom attributes.]


Your web application appears in the Web Applications tab, where you can edit the 
application settings or launch a scan on it. 


[Screenshot: the Web Applications tab, listing each web application with its URL, number of pages, number of vulnerabilities, severity, MDS severity, and last scanned and updated dates, with the New Web Application, Import, New Scan and New Schedule menus.]
Why use authentication? Using authentication allows our service to access all parts of your web application during the crawling process, so we can perform a more in-depth assessment of your web application. Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). Just go to the Authentication tab, select New Record and configure an authentication record with access credentials. Form and server authentication may be combined as needed - we'll monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.




Warning about scans and their potential impact: Web application scans submit forms with test data. If this is not desired, add configurations for black lists, POST data black lists, and/or select the GET only method within the option profile. Keep in mind that when these configurations are used, testing of certain areas of the web application is not included and any vulnerabilities that exist in these areas may not be detected.


We recommend a discovery scan first 


A discovery scan finds information about your web application without performing 
vulnerability testing. This is a good way to understand where the scan will go and whether 
there are URIs you should blacklist for vulnerability scans. 


Go to Web Applications (on the top menu) and then select New Scan » Discovery Scan. The launch scan wizard walks you through the steps. Tell us the web application you want to scan and select scan settings (* means required). Ready to start your scan? Click Continue, review the settings, then click Finish.


[Screenshot: Launch New WAS Discovery Scan wizard, Step 1 of 3 (Scan Details): scan name 'My Discovery Scan', scan target by Names or Tags, web application 'Demo Web Application', followed by the Scan Settings and Review And Confirm steps.]


Tell me about the option profile

An option profile is a set of scan configuration options. We recommend "Initial WAS Options" to get started. Editing options in the profile allows you to customize crawling and scan parameters.

Do I need to provide authentication details?

Is authentication needed to access the functionality of this web application? If yes, be sure to select an authentication record.




Do I need a scanner appliance? 


Our security service provides cloud scanners for external scanning on the network perimeter. For internal scanning you need to set up a scanner appliance (physical or virtual). Go to VM/VMDR » Scans » Appliances and select an option from the New menu and we'll walk you through the steps. (Do you have Express Lite? Your account may be enabled with External scanning, Internal scanning or both.)


Double click the finished scan to see the scan view.

[Screenshot: Scan Management, Scan List with the finished Discovery Scan selected.]


The scan view

The Overview gives you an overview of the scan findings. Want to view the full scan report? Just click the View Report button.

[Screenshot: the Discovery Scan view, Scan findings overview: Scan Details (authentication status, applications scanned, start date, duration), crawling time, assessment time, operating system detected, links collected and crawled, requests performed, timeouts, unexpected errors and average response time.]
The full scan report

Each QID is a security check we performed and gathered information on. Just click the row to see details. Be sure to check QID 150009 Links Crawled and QID 150021 Scan Diagnostics to review important data about the scan.

[Screenshot: Report Management with the scan report open, listing Information Gathered QIDs such as 45017 Operating System Detected, 150152 Forms Crawled, 150135 Strict Transport Security Missing Header Analysis, 150125 File Upload Form Found, 150115 Authentication Form found, 150009 Links Crawled, 150082 Protection against Clickjacking vulnerability, 150054 Email Addresses Collected, 150028 Cookies Collected and 150026 Maximum Number of Links Reached During Crawl.]




[Screenshot: the scan report's Information Gathered list continued, with QIDs such as 150025 Exception At Scan Launch, 150014 External Form Actions Discovered and 150010 External Links Discovered.]

You'll see the results for QID 150009 Links Crawled give you a listing of the links crawled.

[Screenshot: Information Gathered details for QID 150009 Links Crawled (finding number, web application, group, authentication, detection date) with 'Highlight changes from previous scan' enabled.]

Highlight changes from previous scan:

- New - this link was not found in the previous scan
- Modified - this result was found by the previous scan but its value was different
- Removed - this link was not found, but was reported in the previous scan
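As an added illustration (not Qualys code or output), the following Python applies the New / Modified / Removed legend above to two scans' Links Crawled results and adds a small triage count; the tab-separated input format, the per-link value (an HTTP status here) and the sample links are constructed for the example.

```python
"""Classify Links Crawled results between two scans the way the report legend
does (New, Modified, Removed), so newly exposed links can be triaged as
attack-surface change.  Added illustration, not Qualys code; the input shape
(one 'link<TAB>value' line per crawled link, the value being whatever the scan
recorded, an HTTP status code here) is an assumption made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ScanDelta:
    new: List[str] = field(default_factory=list)
    modified: List[Tuple[str, str, str]] = field(default_factory=list)  # (link, old, new)
    removed: List[str] = field(default_factory=list)
    unchanged: List[str] = field(default_factory=list)


def parse_links_crawled(text: str) -> Dict[str, str]:
    """Parse 'link<TAB>value' lines (constructed format) into a link -> value map.
    Blank lines and '#' comments are skipped; a link listed twice keeps its last value."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        link, _, value = line.partition("\t")
        results[link.strip()] = value.strip()
    return results


def diff_links_crawled(previous: Dict[str, str], current: Dict[str, str]) -> ScanDelta:
    """Apply the report legend to two Links Crawled result sets."""
    delta = ScanDelta()
    for link in sorted(current):
        if link not in previous:
            delta.new.append(link)                      # not found in the previous scan
        elif previous[link] != current[link]:
            delta.modified.append((link, previous[link], current[link]))  # found before, value differed
        else:
            delta.unchanged.append(link)
    # reported by the previous scan but not found now
    delta.removed = [link for link in sorted(previous) if link not in current]
    return delta


def triage_summary(delta: ScanDelta) -> Dict[str, int]:
    """Counts a reviewer looks at first: new links widen the attack surface; removed
    links may mean a crawl gap (expired session, blacklisted URI) rather than a fix."""
    return {
        "new": len(delta.new),
        "modified": len(delta.modified),
        "removed": len(delta.removed),
        "unchanged": len(delta.unchanged),
    }


# Constructed sample data standing in for two scans' QID 150009 results.
PREVIOUS_SCAN = """
http://www.example.com/\t200
http://www.example.com/login\t200
http://www.example.com/old-report.php\t200
http://www.example.com/about\t200
"""

CURRENT_SCAN = """
http://www.example.com/\t200
http://www.example.com/login\t302
http://www.example.com/about\t200
http://www.example.com/admin/\t200
http://www.example.com/backup.zip\t200
"""


def example_delta() -> ScanDelta:
    """Diff the two constructed scans above."""
    return diff_links_crawled(parse_links_crawled(PREVIOUS_SCAN),
                              parse_links_crawled(CURRENT_SCAN))


if __name__ == "__main__":
    d = example_delta()
    for link in d.new:
        print("New      ", link)
    for link, old, new in d.modified:
        print("Modified ", link, old, "->", new)
    for link in d.removed:
        print("Removed  ", link)
    print(triage_summary(d))
```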


Next scan for vulnerabilities 


A vulnerability scan performs vulnerability checks and sensitive content checks to tell you 
about the security posture of your web application. 


Good to Know 


What vulnerability checks are tested? We'll scan for all vulnerability checks (QIDs) listed in the KnowledgeBase unless you configure your option profile to limit the scan to certain vulnerabilities (confirmed, potential and/or information gathered). We constantly update the KnowledgeBase as new security information becomes available.


Click KnowledgeBase on the top menu.

[Screenshot: the KnowledgeBase tab listing QIDs with their titles, e.g. 121801 Adobe Shockwave Player Memory Corruption Vulnerabilities (APSB14-06).]


What is Severity? Each QID is assigned a severity level by our service: confirmed 
vulnerability (red), potential vulnerability (yellow) and information gathered (blue). 


Start your scan 


Go to Scans on the top menu and then select New Scan » Vulnerability Scan. The launch scan wizard walks you through the steps. Tell us the web application you'd like to scan for vulnerabilities and select scan settings. Ready to start your scan? Click Continue, review the settings, then click Finish.

[Screenshot: Launch New WAS Vulnerability Scan wizard, Step 1 of 3 (Scan Details): scan name 'My Vulnerability Scan', scan target by Names or Tags, web application 'Demo Web Application'.]


Check scan progress 


The status column tells you the status (in this case Running). Want more info? Double click the scan row. Then you'll see the Scan Progress bar - this gives you an estimate of when the scan will finish.

[Screenshot: Scan List with 'My Vulnerability Scan' in Running state and the Scan Progress panel: 'Scan running since 00:02:00 (9 minutes remaining)', with links collected, links crawled, requests performed and average response time.]


Your scan results 


Select the finished scan to see a preview of the scan (below the list).

[Screenshot: Scan List with a finished 'Web App Vulnerability Scan - 2017-07-12' selected and its preview: web application Demo Web Application, mode On-Demand, authentication None, scanner 'WAS, Scanner 2', finished in 00:08:59 with 120 vulnerabilities (40 high, 11 medium, 69 low), plus a Full scan / Preview report link and a Detections snapshot.]
The scan view


How do I see this? Hover over the scan and select View from the Quick Actions menu.

The Overview gives you an overview of the scan findings.

Want to see the full scan report? Just click the View Report button.


The full scan report

Vulnerabilities are sorted by group.

[Screenshot: Report Management with the full scan report open: a Results tree with Vulnerabilities (120) grouped into Cross-Site Scripting, SQL Injection, Path Disclosure, Information Disclosure and Information Gathered, each group expanding to its QIDs (e.g. 150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities, 150117 Path-Based Cross-Site Scripting (XSS), 150046 Reflected Cross-Site Scripting In HTTP Header) and affected URLs, followed by Scan Details, Web Application Details and Severity Levels.]




[Screenshot: WAS Vulnerability Scan View, Scan findings overview for 'Web Application Vulnerability Scan - 2019-02-25 Run #1' (status Finished): Scan Details with authentication status, applications scanned, start date and duration; crawling time, assessment time, operating system detected; links collected and crawled, requests performed, timeouts, unexpected errors and average response time.]

Click here to see vulnerability details.

[Screenshot: the scan report with one finding expanded, QID 150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities, with the Install Patch, Ignore and Retest actions: the affected URL, finding number, group (Cross-Site Scripting), CWE (CWE-79), OWASP (A3 Cross-Site Scripting (XSS)) and WASC (WASC-8 Cross-Site Scripting) references, CVSS Base and Temporal scores, detection date, the parameter the issue was detected on (account), the access path the scanner followed to reach the URL, and a Payloads section listing the test requests sent.]


Easily find out what the severity levels mean in the Appendix.

[Screenshot: the scan report's Results tree (Cross-Site Scripting, SQL Injection, Path Disclosure, Information Disclosure, Information Gathered) followed by the Scan Details, Web Application Details and Severity Levels appendix sections.]

The Severity Levels appendix explains confirmed vulnerabilities: vulnerabilities (QIDs) are design flaws, programming errors, or misconfigurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site. Each of the five severity levels then gets a description. Critical, for example: intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application; examples include certain types of cross-site scripting and SQL injection attacks.


Check out the Sitemap 


The Web Application Sitemap gives you a convenient way to get a list of all pages/links 
scanned with view on the links crawled, vulnerabilities and sensitive content detected (go 
to Web Applications, select your web app and then View Sitemap from the Quick Actions 
menu). 


[Screenshot: the Web Applications tab with the Quick Actions menu open on a web application, showing the View Sitemap action.]


Here's a sample sitemap for a web application that has 271 total pages crawled, 306 total 
vulnerabilities and 8 sensitive content detections. 


[Screenshot: Sitemap: Demo Web Application, with page view filters Crawled 271, Rejected 0, External 34, Vulnerabilities 306, Sensitive Contents 8; the link tree grouped by host and port, an Assessment Details panel with the total vulnerabilities (306) broken down by severity level, and a Crawling Details chart.]


Move the Sitemap to a new browser window 
Click the icon in the upper right corner to move the sitemap to a new browser window. 


[Screenshot: the Sitemap header with the 'move to new window' icon and page view filters Crawled 244, Rejected 8, External 36, Vulnerabilities 134, Sensitive Contents 1.]


Filter the Sitemap

Click one of the page view filters, for example Vulnerabilities to show only links with current vulnerabilities.

[Screenshot: Sitemap: Demo Web Application with the Vulnerabilities page view filter applied (Crawled 271, Rejected 0, External 34, Sensitive Contents 8).]


Drill down to see nested links 


This lets you explore the security of different parts of your applications. Double click a 
parent folder to display child links. 


Hover over information icons to display details.

[Screenshot: the sitemap link tree expanded from host to folder to child links (the 'boq' folder under 10.10.26.238 and its ?account=... links), with an information popup '2 vulnerabilities detected on this link' broken down by severity level.]


Take actions on web app links 


Create a new web application from a link, or add a link to a black list or white list. You can 
view a link in your browser - just select that row then click the link in the details panel (to 
the right). 


[Screenshot: the sitemap with the Quick Actions menu open on a folder (Create Web Application, Add To Black List, Add To White List) and the Folder Information panel showing the folder URL, its vulnerabilities (8) and sensitive content (0).]
Easily export web app links

Download the links scanned with their detection data in multiple formats.

[Screenshot: Web Application Sitemap: Demo Web Application with the Export sitemap menu open, offering 'Download web app links...'.]
Your download report will show you scan results per link. 

[Screenshot: the downloaded report, Data List: Web Application Sitemap, 12 Jul 2017, 33 records. One row per link with the columns Link, Status (CRAWLED, EXTERNAL or none), # Sensitive Contents, # Vulnerabilities, External links, Crawled links, Rejected links, Links Sensitive Contents and Links Vulnerabilities.]


Tip - Schedule your scans to run automatically 


We recommend you set up scan schedules to run repeatedly. This way you'll get results automatically (daily, weekly or monthly) and during a time window convenient for your organization.


Go to Scans » Schedules and select New Schedule.

[Screenshot: the Scans tab with the Schedules sub-tab selected and the New Schedule menu.]


Get the latest security status from your dashboard 


Your dashboard gives you security status at a glance and it's always up to date with the 
latest scan results. This is very interactive - just click the sections, links and discover 
further details. 


[Screenshot: the WAS Dashboard with numbered callouts: vulnerability totals by severity and malware detections, total scanned web apps and how many have Malware Monitoring, Most Vulnerable Web Applications, Catalog counts (New, Rogue, Approved, Ignored, In Subscription), Your Last Scans, Your Upcoming Scans and Latest Reports.]


- Current vulnerability counts: High severity (levels 4 and 5), Med (level 3), Low (levels 1 and 2).
- Discovered web apps, now in your Catalog (not available to Express Lite users).
- Your most vulnerable web apps.
- Your latest scans (Tip - hover over the Scan Date to view date/time for each).
- Your upcoming scans (your schedules).
- Easily access your latest reports.


Easily create custom dashboards and switch views 


Focus your dashboard on areas of interest, certain web applications and production 
environments, whenever you want. You can even set a custom dashboard as the default 
for your account. 


Hover over “Dashboard” and click Change... 


[Screenshot: the Dashboard tab with the Change... link marked 'Click here'.]


Tell us the web apps you'd like to include in each dashboard by selecting tags. 


[Create New Dashboard dialog: give your dashboard a name (e.g. Datacenter NY), optionally tick Make this dashboard my default, and add the tags to include. Your dashboard will include data for web applications that have any of the selected tags only.]


Just click Display Now to change your dashboard view. It's that easy! 


[My Dashboards dialog: select the dashboard you'd like to display. Each dashboard can give you an overview of different assets; create as many dashboards as you like to get custom views. Choose Set as Default to display a certain dashboard by default when you access the WAS application. Each entry offers Set as Default | Display Now | Edit | Delete.]
Tell me about the catalog


The catalog is the staging area for web applications you can choose to add to your 
subscription. The catalog requires manual triage to determine which entries are truly web 
applications that should be scanned with WAS. 


Catalog entries are processed from completed maps, vulnerability scans and WAS scans in 
your account. Catalog entries are not necessarily web applications but are simply web 
servers that responded to an HTTP request on a certain port. 

(The catalog feature is not available to Express Lite users.) 


How do I get started? 


Your catalog will be empty until you (or another user) launch maps or vulnerability scans 
using the VM application, or WAS scans. Once they are complete you are ready to process 
the results. 


- Process scan results: Go to Web Applications > Catalog and click Update (above the list). 


- Process map results: Go to Web Applications > Maps, select one or more maps and then 
select Process Results. 


You'll see new catalog entries for the newly discovered web applications. You can easily 
choose to add these web applications to your account and scan them for security risks. 


[Screenshot: Web Applications > Catalog. Columns: FQDN, Source (e.g. WAS Scan), Port, NetBIOS, Status (New, Rogue, Approved, Ignored, In Subscription) and Created. The Update button sits above the list; per-entry actions include Edit, Open In Browser, Add to Subscription, Add Comment, Add Tags and Delete.]


You can also locate your web applications even if you don't know where they are. With our 
enhanced discovery method, if a server is running multiple virtual hosts, we can better 
identify what applications exist and add them to the WAS Catalog. The WAS Catalog is 
updated with the web applications that are detected through WAS scans but are not yet 
added as web assets. 


[Screenshot: Web Applications > Detections (discovered web servers). Columns: IP Address, FQDN, Port, NetBIOS, Status, Operating System, Creation Date and Last Update Date, with status filters New, Rogue, Approved and Ignored. The preview for http://funkytown.vuln.qa.qualys.com:80 reads "Web application detected through WAS scan".]
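To make the virtual-host point concrete, here is an added example (not Qualys code, and not how the WAS scanner is implemented) of how one IP and port can be probed with different Host headers to tell which catalog-style entries are distinct applications and which just fall through to the server's default site. The hostnames, the placeholder address 10.10.26.238 and the canned responses in demo_fetch are constructed for the illustration; discover_vhosts can be pointed at a real server by leaving fetch at its default.

```python
"""Probe one ip:port with several Host headers and group the responses.

Added illustration of virtual-host triage for catalog-style entries. It is
not Qualys code; the demo server data below is constructed.
"""
import hashlib
import http.client
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# A fetcher sends GET / to ip:port with the given Host header and returns (status, body).
Fetcher = Callable[[str, int, str], Tuple[int, bytes]]

# A name no server should be configured for; its response is the server's catch-all site.
PROBE_BOGUS_HOST = "nonexistent-vhost-probe.invalid"


def http_fetch(ip: str, port: int, host: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real fetcher: connect to the IP directly and override only the Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def response_fingerprint(status: int, body: bytes) -> str:
    """Status code plus a truncated body hash: enough to tell 'same page' from 'different page'."""
    return f"{status}:{hashlib.sha256(body).hexdigest()[:16]}"


def discover_vhosts(ip: str, port: int, candidates: List[str],
                    fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Return {fingerprint: [hostnames]} for the bogus host plus every candidate.

    Probing the bogus name captures the catch-all response, so any candidate
    that lands in the same group as PROBE_BOGUS_HOST is not a separately
    configured application on this server.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in [PROBE_BOGUS_HOST] + list(candidates):
        status, body = fetch(ip, port, host)
        groups[response_fingerprint(status, body)].append(host)
    return dict(groups)


def distinct_apps(groups: Dict[str, List[str]]) -> List[str]:
    """Hostnames whose response differs from the catch-all one, i.e. real vhosts."""
    apps = [h for hosts in groups.values() if PROBE_BOGUS_HOST not in hosts for h in hosts]
    return sorted(apps)


# --- constructed offline stand-in for a server hosting two apps plus a default page ---
_DEMO_SITES = {
    "funkytown.example": (200, b"<html><title>Funkytown</title><p>Welcome</p></html>"),
    "bank.example": (200, b"<html><title>Bank login</title><form action='/login'></form></html>"),
}
_DEMO_DEFAULT = (200, b"<html><title>Apache2 Default Page</title></html>")


def demo_fetch(ip: str, port: int, host: str) -> Tuple[int, bytes]:
    """Fake fetcher: answers like a server with two vhosts and a catch-all default site."""
    return _DEMO_SITES.get(host, _DEMO_DEFAULT)


if __name__ == "__main__":
    # 10.10.26.238 is a placeholder address; with demo_fetch nothing is sent on the wire.
    found = discover_vhosts("10.10.26.238", 80,
                            ["funkytown.example", "bank.example", "www.example"], fetch=demo_fetch)
    for fp, hosts in found.items():
        print(fp, hosts)
    print("distinct applications:", distinct_apps(found))
```

Two caveats when running this against real servers: a page that embeds a per-request nonce or timestamp defeats a plain body hash (strip those first, or compare status plus a few stable headers instead), and a site that is only configured for HTTPS needs the same probe over TLS with the server name set for SNI, which a bare connection to the IP does not do for you.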


Manage Detections 


Manage all your detections in one place. The detections tab acts as a central area for 
application security vulnerability detections, management and information. We list all 
your findings (Qualys, Burp, and Bugcrowd) in the Detections tab. 


We have filters to enhance the search and quickly locate the detection type. In addition to 
the common filters, depending on your finding type, more filters specific to each finding 
type are displayed. For example, if you choose Finding Type as Burp, then filters that are 
applicable for Burp related findings are enabled and the other non-applicable filters are 
disabled. 


You can distinguish the finding type by the icon displayed in the list: 

- Qualys detections 
- Burp issues 
- Bugcrowd submissions 
Want to import Burp findings? 


(This feature is not available to Express Lite users.) 


We recommend you try the Qualys WAS Burp extension, which imports a WAS finding directly 
into Burp Repeater so you can manually validate the vulnerability. The extension works with 
both Burp Suite Professional and Burp Suite Community Edition. 


The Qualys WAS Burp extension is available at the BApp Store, located under the Extender 
tab. To learn more about Qualys WAS Burp extension refer to this blog article at the 
Qualys community. 


Alternatively, go to Detections » Burp » Import. Choose a Burp file in XML format from your 
local file system and select the web application that the Burp report applies to. 


The issues imported with your Burp reports are displayed in the Detections list. Go to 
Detections » Detections List. Select Burp in the Finding Type of the Search Filter and you 
can view issues in detail - including detection dates, status and severity. 


[Screenshot: Detections > Detection List with Finding Type set to Burp. Columns: QID, Name, Group, Last Detected, Age, Patch. Example issues: Cross-site scripting (reflected) at /mutillidae/index.php [username parameter] and Cacheable HTTPS response.]


Integration with Bugcrowd 


Bugcrowd customers can also import approved Bugcrowd submissions into their WAS account. 
Our Bugcrowd integration gives you a way to view and report on vulnerabilities identified 
by WAS alongside vulnerabilities found via bug bounty programs managed by Bugcrowd. 


Go to Detections > Bugcrowd > Import and choose a Bugcrowd file in CSV format from 
your local file system and select the web application that the Bugcrowd file applies to. The 
issues imported with your Bugcrowd file are displayed in the issues list. Go to Detections > 
Detections List. 


[Screenshot: Detections > Bugcrowd list of imported submissions. Columns: Issue, Status, Severity, Group, Last Detected, Age; the preview shows First Detected, Last Detected and Times Detected for an SQLi submission on Demo Web Application.]
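The two import steps above (a Burp file in XML format at Detections » Burp » Import, a Bugcrowd file in CSV format at Detections » Bugcrowd » Import) both take a file of externally found issues. This added example, which is not Qualys, Burp or Bugcrowd code, parses a constructed sample of each into one finding record and then buckets the results the way the dashboard counts them (High = levels 4 and 5, Med = level 3, Low = levels 1 and 2). The Burp sample follows the layout of a Burp Suite XML export; the Bugcrowd column names (title, priority, target, url, state) and the mapping of Burp severities and Bugcrowd P1-P5 priorities onto the five WAS levels are assumptions for the illustration, not the product's import logic.

```python
"""Normalise Burp XML and Bugcrowd CSV exports into one finding record.

Added illustration only. The samples are constructed; the CSV column names
and the severity/level mappings are assumptions, not Qualys's import rules.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of a Burp Suite XML export (two issues).
BURP_XML = """<?xml version="1.0"?>
<issues burpVersion="2.1" exportTime="Thu Jan 24 10:00:00 UTC 2019">
  <issue>
    <serialNumber>1</serialNumber>
    <type>2097920</type>
    <name>Cross-site scripting (reflected)</name>
    <host ip="127.0.0.1">http://127.0.0.1</host>
    <path>/mutillidae/index.php</path>
    <location>/mutillidae/index.php [username parameter]</location>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <type>7340288</type>
    <name>Cacheable HTTPS response</name>
    <host ip="127.0.0.1">https://127.0.0.1</host>
    <path>/safebrowsing/downloads</path>
    <location>/safebrowsing/downloads</location>
    <severity>Information</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""

# Constructed Bugcrowd-style CSV. The column names are an assumption.
BUGCROWD_CSV = """title,priority,target,url,state
SQL injection in login form,P1,Demo Web Application,https://10.11.72.37/login.php,unresolved
Verbose error page,P4,Demo Web Application,https://10.11.72.37/boq/aboutus.html,resolved
"""

# Assumed mappings onto the five WAS severity levels (5 = Urgent ... 1 = Minimal).
BURP_LEVEL: Dict[str, int] = {"High": 5, "Medium": 3, "Low": 2, "Information": 1}
BUGCROWD_LEVEL: Dict[str, int] = {"P1": 5, "P2": 4, "P3": 3, "P4": 2, "P5": 1}


@dataclass
class Finding:
    source: str   # "Burp" or "Bugcrowd"
    name: str
    url: str
    level: int    # 1..5 after mapping
    status: str


def parse_burp(xml_text: str) -> List[Finding]:
    """Walk every <issue> in a Burp export and map its severity onto a level."""
    root = ET.fromstring(xml_text)
    findings = []
    for issue in root.iter("issue"):
        host = (issue.findtext("host") or "").strip()
        path = (issue.findtext("path") or "").strip()
        severity = (issue.findtext("severity") or "Information").strip()
        if severity not in BURP_LEVEL:
            raise ValueError(f"unexpected Burp severity {severity!r} in issue {issue.findtext('serialNumber')}")
        findings.append(Finding("Burp", (issue.findtext("name") or "").strip(),
                                host + path, BURP_LEVEL[severity], "New"))
    return findings


def parse_bugcrowd(csv_text: str) -> List[Finding]:
    """Read a Bugcrowd-style CSV and map its P1..P5 priority onto a level."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        priority = row["priority"].strip()
        if priority not in BUGCROWD_LEVEL:
            raise ValueError(f"unexpected Bugcrowd priority {priority!r}: {row['title']}")
        findings.append(Finding("Bugcrowd", row["title"], row["url"],
                                BUGCROWD_LEVEL[priority], row["state"]))
    return findings


def dashboard_bucket(level: int) -> str:
    """The dashboard's grouping: High = levels 4 and 5, Med = level 3, Low = levels 1 and 2."""
    if level >= 4:
        return "High"
    if level == 3:
        return "Med"
    return "Low"


def severity_counts(findings: List[Finding]) -> Counter:
    """Count findings per dashboard bucket."""
    return Counter(dashboard_bucket(f.level) for f in findings)


def check_target(findings: List[Finding], webapp_url: str) -> List[Finding]:
    """Findings whose URL is not under the web application they are about to be attached to."""
    return [f for f in findings if not f.url.startswith(webapp_url)]


if __name__ == "__main__":
    all_findings = parse_burp(BURP_XML) + parse_bugcrowd(BUGCROWD_CSV)
    for f in all_findings:
        print(f"{f.source:9} L{f.level} {dashboard_bucket(f.level):4} {f.name} -> {f.url}")
    print(dict(severity_counts(all_findings)))
    print("outside target:", [f.name for f in check_target(all_findings, "https://10.11.72.37/")])
```

Parsing the file yourself before importing is a cheap sanity check: a severity or priority value outside the expected set, or an issue whose host does not match the web application you are about to attach it to, is easier to catch here than after it has landed in the Detections list.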
Retest multiple findings without launching a full scan 


Yes, you can easily retest findings by launching a scan that tests only the selected 
findings. Only potential vulnerabilities, confirmed vulnerabilities and sensitive contents 
are available for retest. You can group multiple findings that belong to the same QID and 
web application and launch a retest for them in a single batch. The retest scan uses the 
same settings as the latest scan. If you cancel the retest for any one of the findings, the 
retest scan is cancelled for the entire batch of findings. 


Go to Detections » Detections List. You can use the filters in the left pane to view all 
findings of the same QID and web application. Select the findings to be retested. From the 
Actions menu, select Retest. Once you confirm, the retest scan is launched for all the 
selected findings at one go. 

[Screenshot: Detections List filtered to several Reflected Cross-Site Scripting (XSS) in HTTP Header findings on the same web application, selected for Retest from the Actions menu.]


Test Authentication 


You can test the authentication records for web applications you define without having to 
run a Discovery scan. This quickly checks whether the scanner is able to authenticate to the 
web application. 




Go to Web Applications » Web Applications and select the web application and select Test 
Authentication from the quick actions menu. 


[Screenshot: Web Applications list with the Quick Actions menu open for a web application: View, Edit, View Report, Find, Open In Browser, Test Authentication, Scan, Schedule.]


Once the authentication test scan is in Finished state, select View Report from the quick 
actions menu and view the Authentication Test scan report. 


High volume scanning of web applications 


Qualys WAS is the most scalable web application scanning solution. We’ve enhanced the 
ability to support large web application scanning programs by adding the ability to scan 
any number of web applications as a Multi-Scan. This feature enables organizations to 
scan hundreds or even thousands of web applications they may have in their enterprise 
with granular insight into what scans are running and which ones are complete. 


Choose your applications - select individual apps or tags 


Take advantage of Qualys asset tagging to categorize applications that may have similar 
attributes and you can scan them together. Don't have time to tag your applications? No 
problem - users can pick and choose application names. 


[Screenshot: New WAS Vulnerability Scan wizard, Step 1 of 3 (Scan Details). Name the scan (e.g. Web Application Vulnerability Scan - 2014-05-28) and tell us the web applications to scan, either by Names or by Tags; the tag list includes all tags you have access to (e.g. Datacenters, New York).]


Select scan settings - authentication, option profile, scanner appliance 


The Multi-Scan feature gives you many options to accept the defaults for the web applications 
or to override the default web application settings. 


[Screenshot: Step 2 of 3 (Scan Settings) of the New WAS Vulnerability Scan wizard, with three settings:]

- Authentication: use the default authentication record to scan each target web application, if authentication is required. Note: web applications without a default authentication record will be scanned without authentication. Check the Authentication field in each slice's preview afterwards; a slice showing Authentication: None was scanned without credentials and its results cover only the unauthenticated surface of that application.

- Option Profile: select an option profile with the scanning options you want (e.g. Initial WAS Options), and choose whether to use it only when the web application has no default profile or for all web applications.

- Scanner Appliance: select a scanner. External scanners can be used for perimeter scanning. For scanning your internal network, select an appliance name or the Default.


View the scan status of the Multi-Scan in the preview pane 


[Screenshot: Scans > Scan List with the Multi Scans quick filter. Columns: Name, Status, Links, Severity, Scan Date. The Multi-Scan "Web Application Vulnerability Scan - 2014-05-28" shows Total web applications: 3; its preview shows Total Scans 3/3, who launched it and when, how long it has been running, Mode: On-Demand, Authentication: Default, Scanner: External and 33.33% complete.]


View the scan status details for all the scans within a Multi-Scan 


[Screenshot: the Multi-Scan opened to its per-application scans, Slice #1, #2 and #3 (one per target URL on 10.10.26.238, ports 80, 443 and 8080), each with its own Status, Links, Severity and Scan Date. The preview for Slice #1 shows Web application: My Web Application, Mode: On-Demand, Authentication: None, Scanner: External and 133 vulnerabilities (17 high, 26 medium, 90 low).]


Scanning using Selenium scripts 


You can use Qualys Browser Recorder (QBR) to create a Selenium script. QBR is a free 
browser extension (for the Google Chrome browser) to record and play back scripts for web 
application automation testing. QBR allows you to capture web elements and record 
actions in the browser to let you generate, edit, and play back automated test cases 
quickly and easily. 


It also allows you to select a UI element from the browser's currently displayed page and 
then select from a list of Selenium commands with parameters. You can use these scripts in 
WAS to help the scanner navigate through the complex authentication and business 
workflows in a web application. 


A common authentication mechanism used by web applications is single sign-on (SSO). 
This introduces complexity and can cause some confusion when it comes to 
authenticating and scanning with Qualys WAS. With QBR you can record the SSO login once 
and hand the resulting script to the scanner, which simplifies the authentication mechanism 
for the scanner. For detailed steps, refer to our blog article. 


Virtual Patch Support 


WAS lets you install virtual patches for selected vulnerabilities (detections) when your 
account has both WAS and WAF enabled. Once a patch is installed we automatically add 
firewall rules to block exploitation of the selected vulnerabilities. We've also added 
capabilities to the WAF API to help you manage virtual patches. A virtual patch blocks the 
attack at the WAF; it does not remove the flaw from the application, so keep the finding 
open until the code is fixed and a retest confirms it. 


[Screenshot: Detections > Detection List with the quick actions menu for a finding: View, Ignore, Patch > Install a virtual patch (WAF required), Edit Severity, External References, Retest.]
Reporting 


Steps to create reports 


Select New Report, or click the + button (on the right). 


[Screenshot: Report Creation wizard. Step 1 of 2 (Details): choose a focus, i.e. the report type (Web Application Report, Scan Report, Scorecard Report or Catalog Report); the report type defines the set of data (records, fields) available for the report. Step 2 of 2 (Target): select the web application(s) to report on, by tag and/or by name.]


Alternatively, you can quickly generate a scan report by selecting a scan from the scan list 
and then selecting View Report from the quick actions menu. 


[Screenshot: Scans > Scan List with quick filters (My Scans, Multi Scans; Vulnerability Scan, Discovery Scan, Authentication Test) and the Quick Actions menu of a scan: View Report, Scan Again, Schedule, Delete.]


Similarly, you could generate a web application report using View report from the quick 
actions menu of a web application. 


[Screenshot: Web Applications list with the full Quick Actions menu: View, Edit, View Report, Find, Open In Browser, Test Authentication, Scan, Schedule, Save As, Add Comment, Add Tags, Remove Tags, Purge, Remove Web Assets.]
Sample Web Application Report 


[Sample Web Application Report. Each targeted web application is listed with the total number of detected vulnerabilities and sensitive content. Summary counters: Web Applications 1, Vulnerabilities 150, Sensitive Contents 0, Information Gathered 18 (status filter: New, Active, Re-Opened). Charts: Findings by Severity, Vulnerabilities by Status, Vulnerabilities by Group and OWASP Top 10 2013 Vulnerabilities (Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards). Per-application row: counts for Level 5 through Level 1, Sensitive Contents and Information Gathered. Sections: Results (Vulnerabilities, Information Gathered) and Appendix (Web Application Details, Severity Levels).]
Sample Scorecard Report 


[Sample Scorecard Report (Scorecard report-20141202). Web applications are listed with the total number of findings sorted by severity; all web applications, no filters applied. Summary charts: Findings by Severity, Vulnerabilities by Group, OWASP Top 10 2013 Detections, WASC Top 10 Detections, Top 10 Vulnerable Web Applications and Top 10 Operating Systems Detected, followed by a per-application table of finding counts by level.]
Tips & Tricks 


View, edit settings and repeat 


Our reports are iterative. Just click the Edit Report button to change report settings and 
we'll create an updated report with your changes. This way you can quickly apply filters to 
the report content, such as which vulnerabilities and web applications to include. 


[Screenshot: Web Application Report header with the Edit Report button, above the summary counters (Web Applications 1, Vulnerabilities 150, Sensitive Contents 0, Information Gathered 18).]


Do side by side comparisons 


Just click the icon in the report header and we'll open the report in a new window. This lets 
you do side by side comparisons, and easily work with multiple reports at a time. 


[Screenshot: the icon in the report header that opens the report in a new window.]


How do I save my reports? 


Use the Download option to download the report to your local machine and also save it in 
your account. 


[Screenshot: click Download in the report header and select a format: ZIP, HTML, PDF, Encrypted PDF, PPT, XML or CSV.]




Your reports list is where you can view your saved reports. You can view each report 
(summary), download it, run it again, and add tags to share the report with other users. 


[Screenshot: Reports list (Name, Format, Type, Status) with quick actions: View, Download, Run, Add Tags, Remove Tags, Delete.]


Set a default report format 


This saves you time! You won't need to select your favorite report format each time you 
download your report. Just select My Profile under your user name (in top right corner) 
and edit your profile settings. 


[Screenshot: User Edit > Profile Settings showing the Default Download Format setting, the User Limit for stored reports (200 MB in the example) and User Current Usage. Note: this limit applies only to WAS reports.]


What do the severities and levels mean? 


Just go to the Appendix and click Severity Levels. You'll find a description for each severity 
and level for each detection type (vulnerability, sensitive content, information gathered). 


> Web Application Details 
v Severity Levels 
  v Vulnerabilities 

  Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site. 

  Severity  Level     Description 
  1         Minimal   Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find. 
  2         Medium    Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories. 
  3         Serious   Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels. 
  4         Critical  Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks. 
  5         Urgent    Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture. 

> Sensitive Contents 
> Information Gathered 
Customizable report templates 


Create templates with the specific information you're interested in. This way it's easy to 
deliver the right information to application stakeholders. All your custom templates are 
saved in your account for future use. Go to Reports » Templates and select the New 
Template button to get started. 


[Screenshot: Reports > Templates list with Name, Type and Owner. Alongside user-created templates, the System-owned defaults are Scan Report (default), Catalog report (default), Scorecard report (default) and Web Application Report (default).]


Numerous report template settings let you configure filters such as search lists, 
vulnerability detections, vulnerabilities marked as ignored, and display settings such as 
what content to include, grouping and sorting. 


[Screenshot: Report Template Creation wizard. Step 1 of 3 (Details): name, report type (the report type defines the set of data available for the report), description, and whether to make this the default report template for the subscription. Step 2 of 3 (Filter): search list filters (include or exclude vulnerabilities associated with search lists, e.g. a dynamic "Severity 4 and 5 Vulnerabilities" list), severity levels (1 to 5 for vulnerabilities; High, Medium and Low for sensitive contents) and status (e.g. New, Re-Opened). Step 3 of 3 (Display): contents included, graphs, and results grouping and sorting (e.g. by Group, QID, Web Application).]
Reporting


Want to share your templates? No problem: tag them, as you do for other objects (web 
applications, reports, etc.), and add the tags to user scopes (use the Administration 
utility). 


Scheduled Reporting 


Schedule your report to run automatically, in the same way you schedule scans. You can 
schedule a report to run daily, weekly, or monthly, or just once. Scheduling reports is a 
great way to get security updates based on the latest scan results and share them with 
other users. 


Go to Reports » Schedules and click New Schedule to get started. 


[Screenshot: Schedule Report Creation wizard, Step 1 of 5 "Select a report type and format". Steps listed: Task details, Target, Scheduling, Notification, Review And Confirm. Fields shown: Name (My Web Application Report), Report type (Web Application Report), Report template (Web Application Report), Report Format (Web Archive (HTML)), and tags to apply to the report.]


It's easy to configure report notifications. 


Just choose Activate Notification and tell us which users should receive email 
notifications. An alert is sent to those users each time a report completes, with a link to 
download it, and whenever report generation fails. 


[Screenshot: Schedule Report Creation wizard, Step 4 of 5 (Notification) "Configure notifications for this report schedule". The Configuration section has an "Activate Notification" checkbox and a Distribution Groups selector; the example shows the group "Security Team (3 emails)" selected, with View and Remove links and a New Group option.]


Adding Users 


It's easy to add users to your Qualys subscription and grant them access to WAS. You'll 
need a Manager role to do this. 


How do I add new users? 


Use the New User work-flow provided in the Vulnerability Management application. Select 
VM/VMDR from the app picker and go to the Users section to create a new user. We'll walk 
you through the steps. 


Viewing users, their roles and permissions 


The Qualys Cloud Platform UI shows you all the users in your subscription, their assigned 
roles and permissions to the various applications which are enabled for your account. 
You'll notice newly added sub-accounts (Scanners, Readers, Unit Managers, etc) are not 
granted access to WAS automatically. 


How do I grant a user access to WAS? 


Say you created a new user, Christina Hans, with the Scanner role, and you want Christina 
to be able to scan web applications for security risks using WAS. 


View the new user's application permissions in the Qualys Cloud Platform. Go to the 
Administration utility. You'll notice that the WAS application is not listed for the new user. 


[Screenshot: Administration utility, Users > User Management tab. The user list shows Username, Modules, First Name, Last Name, Email Address, Last Update Date and Last Login Date. The new user Christina Hans (quays_ch, Unassigned Business Unit) has no WAS module icon, unlike the existing user Alex Kim (quays_ak1).]


Edit the new user (select the user and pick Edit from the Quick Actions menu). Under 
Roles and Scopes the user is assigned the SCANNER role for VM and/or PC scanning 
(depending on your subscription settings). 


Qualys provides predefined WAS user roles to help you grant users WAS permissions 
easily. The predefined roles are WAS MANAGER, WAS SCANNER, WAS USER. 


[Screenshot: User Edit dialog for Christina Hans (quays_ch), Roles And Scopes section, "Edit role(s) and scope". Options: "Allow user full permissions and scope (The user will have full access to everything)". Assigned roles: SCANNER. Unassigned roles: UNIT MANAGER, WAF Manager, WAS MANAGER, WAS SCANNER, WAS USER. Edit Scope: "Allow user view access to all objects (Other permissions are granted by the user's roles)"; assets the user can access are defined by tags (Global Scope, with Select | Create | Remove All); the tag "Unassigned Business Unit" is currently applied.]


Our user Christina has the SCANNER role (for VM/PC), so we'll add the WAS SCANNER role 
to her account. Select WAS SCANNER, then pick View from the Quick Actions menu. You'll 
see the WAS SCANNER permission groups and can drill down to see the role details. This 
role does not, for example, grant permissions to add, update or purge web applications. 


[Screenshot: "View role details" for WAS SCANNER. Basic Information: Name WAS SCANNER, Description "WAS Scanner User". Access method(s): UI Access Enabled. Granted modules: Web Application Scanning, with the permission groups WAS Configuration Permissions (12), WAS Schedule Permissions (3) and WAS Scan Permissions (3).]

Click Close to edit user settings. 


Click the Add link next to WAS SCANNER role to add it to the user's assigned roles. 
Assigned roles will look like this. 


[Screenshot: User Edit dialog for Christina Hans (quays_ch), "Edit role(s) and scope", after adding the role. Assigned roles now include WAS SCANNER alongside SCANNER; unassigned roles remaining: READER, UNIT MANAGER, WAF Manager, WAS MANAGER, WAS USER.]


Update the Edit Scope section to grant the user access to web applications in your 
subscription. By default the user doesn't have access to any web applications or other 
WAS configurations. Choose one of the options. 


Assign specific tags. 


[Screenshot: Edit Scope section. "Allow user view access to all objects" is unchecked; assets are defined by tags (Global Scope, Select | Create | Remove All, Search). The "Add Tags to Include" picker lists tags such as WebApp1, WebApp2, Win 2003, Windows 2000 Targets and Windows 2003 Targets; the tags Win 2003, Windows XP, Windows Auth and Unassigned Business Unit are applied.]


Grant full scope (i.e. all tags) 


[Screenshot: Edit Scope section with "Allow user view access to all objects (Other permissions are granted by the user's roles)" checked.]


Click Save to save the user settings. 
Role Management 


The Role Management section shows you all about the roles in your subscription. 


[Screenshot: Administration utility, Users > Role Management tab, with a search box ("Search for roles by entering properties..."). Roles listed include WAS MANAGER, WAF Manager, UNIT MANAGER and SCANNER; the Quick Actions menu for a role offers Edit, Add To Users and Remove From Users.]


For each role you can view details and take actions to add to users, add permissions, 
remove permissions etc. 


The New Role option lets you create a custom role with the exact permissions you want. 


[Screenshot: Administration utility, Role Management tab, showing the "Total used roles" count, the WAS USER role, and the New Role button with the callout "Click here to create a new custom role".]


For example, you can create a role named WAS Scanner. 


[Screenshot: Role Creation wizard, Step 1 of 3 "Role Details". Steps: Role details, Permissions, Review And Confirm. Name: WAS Scanner; Description: "This is for demonstration purpose only."]


Grant the role access to UI and/or API. 
In the role details, choose the access methods for the user. 
[Screenshot: Role Creation wizard, Step 2 of 3 "Edit permissions for this role". "Select how users would access this application": UI Access checkbox. "Select modules which this role should have access. For each role you can define which permissions would be granted": Modules search box; Role Permissions by Modules (0), "No module has been yet granted for this role. Select a module to add one to the role".]


Grant the role access to the WAS app. In the Permissions section, select the WAS app 
from the menu provided. 


[Screenshot: Role Creation wizard, Step 2 of 3, with UI Access and API Access checkboxes and the Modules drop-down open (11 results out of 11). Modules listed: Continuous Monitoring (set up monitoring and alerting of new security risks), Malware Detection (scan and monitor your sites for malware infections), Security Assessment Questionnaire (automate risk and compliance through questionnaire campaigns), ThreatPROTECT (add threat intelligence feed to your existing assets), AssetView, Web Application Firewall (detect attacks and protect your web applications), Web Application Scanning (automated web application security assessment and reporting), GLOBAL (permissions will be set for all modules), Reporting.]


Grant the role permissions within the WAS app. 


[Screenshot: Role Creation wizard, Step 2 of 3, Web Application Scanning module permissions. WAS Asset Permissions (7 of 7): Purge Web Asset, Create Web Asset, Edit Web Asset, Delete Web Asset, View/download Selenium Script sensitive contents, Edit Web Application URL, Select and Lock/Unlock Scanner Appliance. Also listed: Scanner Appliance Permissions (1 of 1), WAS Scan Permissions (3 of 3), WAS Schedule Permissions (3 of 3), WAS Configuration Permissions (22 of 22), WAS Catalog Permissions (4 of 4).]


Edit the user account and assign the role. 


Frequently Asked Questions (FAQ) 


Why am I unable to access the WAS module? 


You need sufficient privileges to access the WAS module. Non-Manager users (Scanners, 
Readers, Unit Managers) must be granted permission to access the WAS application and 
the web applications in the subscription. A Manager (or user with the Edit User 
permission) can configure roles for the users using the Administration utility. 


Follow the steps given here to assign roles to the user. 


Pre-requisite: This procedure must be performed by a user with the Manager role. 


1) Log in to Qualys using your account credentials. 


2) From the module picker, select the Administration module. 


3) From the User Management tab, select the user who is facing the issue and from the 
Quick Actions menu, select Edit. 


[Screenshot: Administration utility, Users > User Management tab. The user list shows Username, Modules, First Name, Last Name, Email Address, Last Update Date and Last Login Date, with users Alex Kim (quays_ak1) and Christina Hans (quays_ch), both in the Unassigned Business Unit.]


4) Go to the Roles and Scopes tab and select the appropriate WAS Role & Scope for the user 
as per the requirement. See the "Manage User Roles" topic in the Qualys Administration 
Utility Online help. 


[Screenshot: User Edit dialog for Christina Hans (quays_ch) with the left-hand sections User Details, Profile Settings, Roles And Scopes (Assigned roles), Action Log and Account Activity.]


If you want to give access to a web application in your subscription, go to the Edit section 
and click the Select link. Choose a web application tag and add the tag to the user's scope. 


[Screenshot: "Edit role(s) and scope" panel. "Allow user full permissions and scope (The user will have full access to everything)" option; assigned and unassigned roles (UNIT MANAGER, WAF Manager, WAS MANAGER, WAS SCANNER, WAS USER, each with an Add link). Edit Scope: "Allow user view access to all objects (Other permissions are granted by the user's roles)"; assets defined by tags (Global Scope, Select | Create | Remove All); the tag "Unassigned Business Unit" is applied.]


5) Click Save and request the user to log in again. 


Getting Help 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 


WAS Community 


To learn more about the latest features, discussions, documents and videos related to 
WAS, visit the Qualys WAS Community page. 